Security and privacy for a connected vehicle environment
SCMS Overview: End Entity Requirements and Interfaces
Dean Therriault - GM/CAMP
Benedikt Brecht – VWGoA/CAMP
[email protected], [email protected]
August 2016 -- CAMP – VSC5 Consortium Proprietary --
Overview (one slide per step of the EE life cycle)
• Establish trust
• Sign messages & verify signatures
• Ensure privacy
• Long-term certificate used in interactions with the SCMS: where does it come from, and how does the EE get it?
• Pseudonym certificate batch
• Misbehavior detection
• Penalty / device revocation: a device that should no longer be trusted has its certificates revoked by the Misbehavior Authority (MA) via the Certificate Revocation List (CRL)
V2X SCMS Architecture (diagram; component boxes and legend)
• Root Management Function: Root CA, Elector A, Elector B, Elector C
• Intermediate CA
• Policy Generator
• SCMS Manager (Policy, Technical), shown against "All SCMS Components"
• Certification Services
• Enrollment CA
• Pseudonym CA
• Linkage Authority 1, Linkage Authority 2
• Registration Authority
• Location Obscurer Proxy
• Misbehavior Authority: CRL Store, CRL Generator, Global Detection
• CRL Broadcast
• Device Config. Manager
• End entities: OBEs, ASDs, RSEs
Legend: air-gapped communication, regular communication, out-of-band communication; each component is marked either "Intrinsically Central" or "Not Intrinsically Central".
SCMS PoC Environment / SCMS PoC Management Environment (diagram; organizational roles and the activities and artifacts exchanged between them)
Roles:
• SCMS POC Governmental Management
• SCMS PoC USDOT Management & Policy Task Force
• SCMS Technical Management
• SCMS POC Development
• SCMS Operation QA & Production
• Connected Vehicle Support Services
• Certification Services
• Device Suppliers
• Deployment Sites: Wyoming, Tampa, NYC, Ann Arbor, future sites
• End Entity User Group
Activities and artifacts:
• Set Policies; Policies & Organizational Protocols; Policies/Protocols/Basic Procedures; Operation Protocols
• USDOT SCMS Policy Statement; National Prototype Policy Development; Analysis of PoC Policies; Adapt & Additional Prototype Policies
• Develop Technical Procedures; Technical Procedures; Procedures, Configurations & Certificates
• Maintain Source Code, Fix Bugs, Develop New System Capabilities; New/Alternative Functions/Fixes; Implement New Functions; New Requirements (if necessary); Software Releases; System Documentation
• Establish Technical Operations; Provide SCMS Tech Support; General Support; Support Registration; Device Reg. & Support; End User Interface; End User & SCMS Technical Liaison
• Generate Credentials; Pseudonym Certificate
• Develop ASDs; Develop RSUs; Develop OBUs; Devices For Testing; Test Devices; Certify Devices; Certified Devices; Certification Documentation; End Entity Security Requirements
• Support System Evaluation; Support Incident Studies
SCMS “Operations” - Environments
• CAMP Dev Stage (part of the SoW)
• QA Stage (based on existing hardware; part of the SoW)
• Production Stage (part of the SoW); used by the CV pilots
Bug-fix flow across the stages: root cause found -> fix bug -> bug-fix component test -> deploy bug-fix -> bug-fix integration / system test -> deploy bug-fix -> bug fixed -> CV pilot use.
EE basics and interfaces

End Entity Basics: Enroll -> Get Pseudonyms -> Communicate -> (repeat)

Enroll
• Enrollment is the EE's entry point to the SCMS: every EE must be provisioned with an Enrollment Certificate
• Enrollment Certificate = long term (life of device); the ticket for admission to the SCMS
• Part of the bootstrap process; expected to cover the lifetime of the EE (OBE, RSE/U)
• OEM specific/proprietary
• Enrollment environment governed by SCMS Manager policy
More OBE: wiki.campllc.org/display/SCP/Step+2.2%3A+OBE+Enrollment
More RSE: wiki.campllc.org/display/SCP/Step+12.2%3A+RSE+Enrollment
Manual Enrollment Process
• A manual process will be used for the initial deployment
• Later versions of the system will implement an automated process

CV Pilot Bootstrapping Process (swimlane diagram with lanes USDOT, CV Pilot Developer and SCMS Operator, plus a Phase column)
1. Create Bootstrap Request
2. Review Request
3. Verify Certification Results
4. Request Approved? (No / Yes; on Yes continue with step 5)
5. Generate Initialization & Enrollment Data
6. Create Bootstrap ZIP File & encrypt
7. Decrypt & Unzip Bootstrap File
8. Upload Bootstrap Data to Devices
9. Request pseudonym certificates
DCM – Secure Environment
• The ECA provides a one-time, long-term enrollment certificate
• The OEM can design and implement this into existing manufacturing processes
• No “interface” to the SCMS

Secure Environment for Enrollment
• A documented procedure for performing the enrollment process
• A physically secure location where the enrollment will take place
• One or more authorized devices (computers) for managing the enrollment process
• An activity log or recording of the enrollment operations that were performed
• wiki.campllc.org/display/SCP/Secure+Environment+for+Device+Enrollment
Get Pseudonym certs
• Pseudonym certs are short lived
• Used for BSM authentication and misbehavior (MB) reporting
• i-Period = 10140 minutes (1 week + 1 hour)
• j-Value = 20 certs per i-Period (current value; could change)
• Interfaces: EE <--> RA and RA <--> PCA (the EE talks only to the RA, which talks to the PCA)
Requirements & process description: wiki.campllc.org/display/SCP/Use+Case+3%3A+OBE+Pseudonym+Certificates+Provisioning
Request doc: wiki.campllc.org/display/SCP/RA+-+Request+Pseudonym+Certificate+Batch+Provisioning
Download doc: wiki.campllc.org/display/SCP/RA+-+Download+Pseudonym+Certificate+Batch
Additional:
• wiki.campllc.org/display/SCP/RA+-+Download+.info+file
• wiki.campllc.org/display/SCP/RA+-+Download+Local+Policy+File
• wiki.campllc.org/display/SCP/RA+-+Download+Local+Certificate+Chain+File
Get Application Cert
• Application certs are short lived
• NO pseudonymity constraints required
• Validity period can vary (in i-periods)
• One-to-one mapping of PSID and SSP to the enrollment cert
• 1 valid application certificate per application at a time
• Interfaces: EE <--> RA and RA <--> PCA
Requirements & process description: wiki.campllc.org/display/SCP/Use+Case+13%3A+RSE+Application+Certificate+Provisioning
Request doc: wiki.campllc.org/display/SCP/RA+-+Request+Application+Certificate+Provisioning
Download doc: wiki.campllc.org/display/SCP/RA+-+Download+Application+Certificate
Additional:
• wiki.campllc.org/display/SCP/RA+-+Download+.info+file
• wiki.campllc.org/display/SCP/RA+-+Download+Local+Policy+File
• wiki.campllc.org/display/SCP/RA+-+Download+Local+Certificate+Chain+File
Get Identification Cert
• Identification certs are short lived
• NO pseudonymity constraints required
• Validity period can vary (in i-periods)
• One-to-one mapping of PSID and SSP to the enrollment cert
• 1 valid identification certificate per application at a time
• Interfaces: EE <--> RA and RA <--> PCA
Requirements & process description: wiki.campllc.org/display/SCP/Use+Case+19%3A+OBE+Identification+Certificate+Provisioning
Request doc: wiki.campllc.org/display/SCP/RA+-+Request+Identification+Certificate+Provisioning
Download doc: wiki.campllc.org/display/SCP/RA+-+Download+Identification+Certificate
Additional:
• wiki.campllc.org/display/SCP/RA+-+Download+.info+file
• wiki.campllc.org/display/SCP/RA+-+Download+Local+Policy+File
• wiki.campllc.org/display/SCP/RA+-+Download+Local+Certificate+Chain+File
Communicate – How?
• The foundation of V2V safety is the BSM
• J2945/1 - “how to send a BSM”
• Frequency: every 100 ms using DSRC

In the device
• Certificate management in the device
• Send BSMs as defined in J2945/1: a BSM every 100 ms
• Change/rotate the pseudonym cert every 5 minutes
• Download and store new batches when possible (DSRC, WiFi, Cellular, etc.)
(Diagram: OBE, “magic happens inside”, exchanging with the SCMS)
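The device-side certificate management described on the "Get Pseudonym certs" and "In the device" slides (10140-minute i-period, 20 certificates per i-period, rotation of the active certificate every 5 minutes, downloading new batches when a channel is available, and dropping certificates that the CRL says are revoked) is shown below as an added example in Python. It is not code from the CAMP SCMS project or the EE Requirements. Beyond what the slides state, it assumes that a new i-period starts every week from a fixed reference instant (so the extra hour of the 10140 minutes is an overlap between consecutive batches), that the RA download is a stand-in producing constructed certificate identifiers, and that "revoked" is a set of identifiers learned from the CRL; real 1609.2 certificates, keys and signatures are left out.

```python
"""Pseudonym-certificate scheduling inside an OBE (added example, not SCMS code)."""
from __future__ import annotations

import hashlib
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values taken from the slides.
I_PERIOD_VALIDITY = timedelta(minutes=10140)   # 1 week + 1 hour
J_VALUE = 20                                   # certs per i-period
ROTATION = timedelta(minutes=5)                # change pseudonym cert every 5 min
# Assumptions not on the slides: a new i-period begins every week, counted
# from a fixed reference instant, so consecutive batches overlap by one hour.
I_PERIOD_STEP = timedelta(weeks=1)
EPOCH = datetime(2016, 8, 1, tzinfo=timezone.utc)


def t_at(**delta) -> datetime:
    """Convenience: an instant expressed as an offset from EPOCH."""
    return EPOCH + timedelta(**delta)


@dataclass(frozen=True)
class PseudonymCert:
    i: int          # i-period index
    j: int          # position within the batch, 0 .. J_VALUE-1
    cert_id: str    # constructed stand-in for the certificate identifier

    @property
    def valid_from(self) -> datetime:
        return EPOCH + self.i * I_PERIOD_STEP

    @property
    def valid_to(self) -> datetime:
        return self.valid_from + I_PERIOD_VALIDITY

    def is_valid_at(self, t: datetime) -> bool:
        return self.valid_from <= t < self.valid_to


def i_period_of(t: datetime) -> int:
    """Index of the i-period that starts at or before t."""
    return (t - EPOCH) // I_PERIOD_STEP


def make_batch(i: int) -> list[PseudonymCert]:
    """Stand-in for the batch the RA returns; identifiers are constructed."""
    return [
        PseudonymCert(i, j, hashlib.sha256(f"i={i} j={j}".encode()).hexdigest()[:16])
        for j in range(J_VALUE)
    ]


class ObeCertManager:
    """Holds downloaded batches, CRL-derived revocations and the rotation state."""

    def __init__(self, rng: Optional[random.Random] = None):
        self.batches: dict[int, list[PseudonymCert]] = {}
        self.revoked: set[str] = set()
        self.rng = rng or random.Random(0)
        self._slot: Optional[int] = None
        self._current: Optional[PseudonymCert] = None

    def download_batch(self, i: int) -> None:
        """Simulates 'download and store new batches when possible'."""
        self.batches[i] = make_batch(i)

    def missing_batches(self, t: datetime) -> list[int]:
        """Batches to fetch next time a channel is up: current and next i-period."""
        now = i_period_of(t)
        return [i for i in (now, now + 1) if i not in self.batches]

    def revoke(self, cert_id: str) -> None:
        """Apply an entry learned from the CRL."""
        self.revoked.add(cert_id)

    def valid_certs(self, t: datetime) -> list[PseudonymCert]:
        """Certificates usable at t: inside their validity window and not revoked."""
        return [
            c for certs in self.batches.values() for c in certs
            if c.is_valid_at(t) and c.cert_id not in self.revoked
        ]

    def current_cert(self, t: datetime) -> PseudonymCert:
        """Certificate to sign the next BSM with; re-picked at every 5-minute slot."""
        slot = (t - EPOCH) // ROTATION
        candidates = self.valid_certs(t)
        if not candidates:
            raise RuntimeError("no valid pseudonym certificate; download a batch")
        if slot != self._slot or self._current not in candidates:
            # Rotate, preferring a certificate different from the last one so that
            # consecutive 5-minute windows are not linkable via the same certificate.
            alternatives = [c for c in candidates if c != self._current] or candidates
            self._current = self.rng.choice(alternatives)
            self._slot = slot
        return self._current
```

The selection rule re-picks not only at each 5-minute slot boundary but also whenever the active certificate leaves the valid set, which is what keeps a device from continuing to sign with a certificate that has just expired at the end of its i-period or been revoked by a freshly downloaded CRL.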
Hardware, OS, and Software
• https://wiki.campllc.org/display/SPFR/Hardware%2C+Software+and+OS+Security+Requirements (work in progress; eventual standard?)
• Have an HSM: FIPS 140-2 Level 2 [good]; FIPS 140-2 Level 3 [better] (yes, more costly)
• Differentiate between privileged and unprivileged applications
EE interface details
• End Entity Requirements Release 1.1 are here: www.its.dot.gov/pilots/pdf/SCMS_POC_EE_Requirements.pdf
“SHOW OF HANDS IF YOU’VE SEEN THIS DOCUMENT!”
• End Entity Requirements Release 1.2 will be here (published soon): wiki.campllc.org/display/SCP/SCMS+CV+Pilots+Documentation
• ASN.1 repository is here: stash.campllc.org/projects/SCMS/repos/scms-asn/browse
CV Pilot validity
• CV Pilots supported by the “SCMS Operations” project: 5 year duration
• All EE CV pilot certs will expire at the end of the project duration; all private keys are to be destroyed
• EE certificate types: Section 2.1.2.4 of the EE Requirements
• Root CA: 70 years validity, usable for 20; component CA certs are short enough to exercise rollover (Section 2.1.2.6.2 of the EE Requirements)
• Every EE must conform to J2945/1 when sending BSMs
More: https://wiki.campllc.org/display/SCP/CV+Pilot+Certificate+Expiration+Timelines
Revocation handling
• Use Case 5: Misbehavior Reporting
  wiki.campllc.org/display/SCP/Use+Case+5%3A+Misbehavior+Reporting
  wiki.campllc.org/display/SCP/RA+-+Submit+Misbehavior+Report
• Use Case 6: CRL Download
  wiki.campllc.org/display/SCP/Use+Case+6%3A+CRL+Download
  wiki.campllc.org/display/SCP/MA+-+Download+CRL
• Use Case 8: OBE CRL Check
  wiki.campllc.org/display/SCP/Step+8.4%3A+OBE+CRL+Check
• Use Case 16: RSE CRL Check
  wiki.campllc.org/display/SCP/Step+16.4%3A+RSE+CRL+Check
Sources:
• Elector-based Root Management System to Manage a Public Key Infrastructure: http://priorart.ip.com/IPCOM/000245336
• A security credential management system for V2V communications, Dec 2013: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6737583
• Vehicle Safety Communications Security Studies: Technical Design of the Security Credential Management System, July 2013
• Security Credential Management System Design, April 2012: http://www.its.dot.gov/meetings/pdf/Security_Design20120413.pdf
• USDOT CV pilots awarded 2015: http://www.its.dot.gov/pilots/
• USDOT Smart City Challenge: https://www.transportation.gov/smartcity
• IEEE 1609.2: https://standards.ieee.org/findstds/standard/1609.2-2016.html
• IEEE 802.11p: http://standards.ieee.org/getieee802/download/802.11-2012.pdf
• SAE J2945/1: http://standards.sae.org/j2945/1_201603/
Backup
SCMS Trust Relationship (diagram; components shown)
• Root CA
• Intermediate CA
• Enrollment CA
• Pseudonym CA
• Registration Authority
• Location Obscurer Proxy
• Device Config. Manager
• End entities: OBEs, ASDs, RSEs
(Backup slide title: pseudonym certificate)